Your message dated Sun, 24 Dec 2023 18:32:09 +0000
with message-id <[email protected]>
and subject line Bug#1057455: fixed in fish 3.6.0-3.1+deb12u1
has caused the Debian Bug report #1057455,
regarding fish: CVE-2023-49284
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1057455: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057455
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: fish
Version: 3.6.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for fish.

CVE-2023-49284[0]:
| fish is a smart and user-friendly command line shell for macOS,
| Linux, and the rest of the family. fish shell uses certain Unicode
| non-characters internally for marking wildcards and expansions. It
| will incorrectly allow these markers to be read on command
| substitution output, rather than transforming them into a safe
| internal representation. While this may cause unexpected behavior
| with direct input (for example, echo \UFDD2HOME has the same output
| as echo $HOME), this may become a minor security problem if the
| output is being fed from an external program into a command
| substitution where this output may not be expected. This design flaw
| was introduced in very early versions of fish, predating the version
| control system, and is thought to be present in every version of
| fish released in the last 15 years or more, although with different
| characters. Code execution does not appear to be possible, but
| denial of service (through large brace expansion) or information
| disclosure (such as variable expansion) is potentially possible
| under certain circumstances. fish shell 3.6.2 has been released to
| correct this issue. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49284
    https://www.cve.org/CVERecord?id=CVE-2023-49284
[1] https://github.com/fish-shell/fish-shell/security/advisories/GHSA-2j9r-pm96-wp4f
[2] https://github.com/fish-shell/fish-shell/commit/09986f5563e31e2c900a606438f1d60d008f3a14

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
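The advisory quoted above turns on one detail: fish used Unicode non-characters as internal markers for wildcards and expansions, and command substitution output containing those code points was not transformed into a safe internal representation. As an added example (not fish's own code and not the upstream fix commit referenced above), the following Python shows what that class of code points is and a defensive check that flags them in the output of an external program and maps them to U+FFFD before the output is handed to anything that might interpret them. The marker U+FDD2 is taken from the advisory's own `echo \UFDD2HOME` illustration; the sample output strings are constructed.

```python
"""Flag and neutralise Unicode non-characters in untrusted program output.

Added example; it is not part of fish and not the upstream fix for
CVE-2023-49284. The advisory quoted above explains that fish used Unicode
non-characters (U+FDD2 in its `echo \\UFDD2HOME` illustration) as internal
markers and did not transform them when they arrived via command
substitution output.
"""

from typing import List, Tuple


def is_noncharacter(cp: int) -> bool:
    """True for the 66 Unicode non-characters.

    They are U+FDD0..U+FDEF plus the last two code points of every plane
    (U+FFFE, U+FFFF, U+1FFFE, U+1FFFF, ..., U+10FFFE, U+10FFFF).
    """
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE


def find_noncharacters(text: str) -> List[Tuple[int, str]]:
    """Return (index, 'U+XXXX') for every non-character found in text."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text)
            if is_noncharacter(ord(ch))]


def sanitize(text: str, replacement: str = "\ufffd") -> str:
    """Replace every non-character with U+FFFD (REPLACEMENT CHARACTER).

    This is the conservative choice for output that a shell or another
    interpreter might otherwise read as one of its internal markers.
    """
    return "".join(replacement if is_noncharacter(ord(ch)) else ch
                   for ch in text)


def check_output(raw: bytes) -> Tuple[str, List[Tuple[int, str]]]:
    """Decode program output leniently and report non-characters.

    Undecodable bytes are preserved via surrogateescape so nothing is
    dropped silently; the returned string is the sanitized text and the
    list records where each non-character was found.
    """
    text = raw.decode("utf-8", errors="surrogateescape")
    hits = find_noncharacters(text)
    return sanitize(text), hits


# Constructed samples: output of an untrusted program that embeds the
# marker from the advisory's illustration, and ordinary clean output.
SAMPLE_UNTRUSTED = "\ufdd2HOME".encode("utf-8")
SAMPLE_CLEAN = b"just a path: /tmp/file"

if __name__ == "__main__":
    for raw in (SAMPLE_UNTRUSTED, SAMPLE_CLEAN):
        clean, hits = check_output(raw)
        print(repr(raw), "->", repr(clean), "non-characters:", hits)
```

The check is deliberately broad: it flags all 66 non-characters rather than only the one fish happened to use, since the advisory notes that the marker characters differed across fish versions. Replacing with U+FFFD loses the original byte, which is the intended trade-off for output that was never supposed to contain these code points in the first place.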
--- Begin Message ---
Source: fish
Source-Version: 3.6.0-3.1+deb12u1
Done: Mo Zhou <[email protected]>

We believe that the bug you reported is fixed in the latest version of
fish, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mo Zhou <[email protected]> (supplier of updated fish package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 Dec 2023 14:47:56 -0500
Source: fish
Architecture: source
Version: 3.6.0-3.1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Tristan Seligmann <[email protected]>
Changed-By: Mo Zhou <[email protected]>
Closes: 1057455
Changes:
 fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium
 .
   * Cherry-pick upstream fix for CVE-2023-49284. (Closes: #1057455)
     fish shell uses certain Unicode non-characters internally for marking
     wildcards and expansions. It will incorrectly allow these markers to be
     read on command substitution output, rather than transforming them into
     a safe internal representation.
Checksums-Sha1:
 7f77e40a90a38b8cc1c7cd95d4d11a10ba66bcac 2342 fish_3.6.0-3.1+deb12u1.dsc
 ac30fa9d42b3119496f40e1194bf60079c85c5c5 21084 fish_3.6.0-3.1+deb12u1.debian.tar.xz
 0cd536a7ea23a450b3404a09e8b34ab7b428bb49 8278 fish_3.6.0-3.1+deb12u1_source.buildinfo
Checksums-Sha256:
 0a88b1a0fb01d8aaecd2e7e5074db9e13fd415503b306da8e9670cd89e26242b 2342 fish_3.6.0-3.1+deb12u1.dsc
 21d391440fac547ce9c4b67f9c9be580372da9b8ab8cee6ec781aa859685cf08 21084 fish_3.6.0-3.1+deb12u1.debian.tar.xz
 79cefb698b80ee02bc377f96ae6b41b11f2bbf0a1c083e6c61150dad67308ad9 8278 fish_3.6.0-3.1+deb12u1_source.buildinfo
Files:
 84e2d5ddb40774ef9275df5f4aa9bc4b 2342 shells optional fish_3.6.0-3.1+deb12u1.dsc
 1b09e26f87f16010e5d4abd515e605a2 21084 shells optional fish_3.6.0-3.1+deb12u1.debian.tar.xz
 faba747ba0735b8f6522e81196f95e64 8278 shells optional fish_3.6.0-3.1+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
